ION-E Defense In Depth Presentation for The Institute of Internal Auditors
- 1. Defense in Depth. Michael A. DaGrossa, CISSP, CEH, CCE. Managing Partner, Business Risk. mike@ion-e.com. Proprietary and Confidential.
- 2. "Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." (Sun Tzu)
- 3. Consultants and clients should develop a Defense in Depth strategy, which should be regularly tested and corrected.
- 5. Does your business look like this? The Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to help you protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, an adversary who penetrates or breaks one layer promptly encounters another, and another, until, unsuccessful in the quest for unauthorized entry, the attack ends. To protect against different attack methods, you must employ corresponding security measures: the weakness of one security measure should be compensated for by the strength of another.
- 13. And know the law of war and the rules of engagement.
- 14. Why does being compliant not mean being secure? Why does being secure not mean being compliant?
- 17. FDIC-FFIEC, GLBA, BITS, to name a few. ING; Education Credit Management Corp; Lincoln National Corp.
- 20. Skydiving. Think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
- 21. We have a parachute, what could go wrong?
- 22. Standards, Controls and Security: primary chute; reserve chute; Automatic Activation Device (A.A.D.); reserve static line; altimeter; helmet, goggles and jumpsuit; trained professional assistance.
- 23. Layers of Safety. Using one standard as an umbrella approach to holistic security for a corporation is like relying on a single measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, until he or she reaches the ground.
- 24. What are we protecting? Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009. The average total per-incident cost in 2009 was $6.75 million. A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center. Engaging a consultant or third-party expert to assist with a data breach incident results in a lower average cost per compromised record (almost 26% lower). About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident. Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with a higher abnormal churn rate (5% and 6% respectively). Source: key findings from the 2009 Ponemon Institute Annual Study.
- 25. What are we protecting? Too often we focus only on our own roles for an engagement. Problems: independence; knowledge; the checklist approach. Source: key findings from the 2009 Ponemon Institute Annual Study.
- 26-28. What are we protecting? (Three chart slides; the charts are not reproduced here.) Source: DatalossDB.org.
- 29. Senior management should: clearly support all aspects of the information security program; implement the information security program as approved by the board of directors; establish appropriate policies, procedures, and controls; participate in assessing the effect of security issues on the financial institution and its business lines and processes.
- 30. Senior management should: delineate clear lines of responsibility and accountability for information security risk management decisions; define risk measurement definitions and criteria; establish acceptable levels of information security risk; oversee risk mitigation activities.
- 31. Controls. Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations.
- 32. Controls - COSO: control environment; risk assessment; information and communication; control activities; monitoring.
- 33. Controls. Internal controls may be described in terms of: a) the objective they pertain to; b) the nature of the control activity itself. Auditors understand this; information technology people do not, and the business does not either.
- 34. Controls - COBIT. IT governance: strategic alignment; value delivery; risk management; resource management; performance measurement.
- 44. Controls - CISM: information security governance; information risk management; information security program development; information security program management; incident management and response.
- 46. Controls - PCI: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; maintain an information security policy.
- 47. Controls - ISO 27K: 27001 - ISMS; 27002 - practices; 27003 - implementation guidance; 27004 - metrics; the rest defined up to 27037*; 27799 - ISMS for the health sector.
- 52. Management, security, risk, audit, and compliance professionals should look beyond the standard and determine whether it is sufficient to manage the related risks to the organization. A start-to-finish, multi-layered security approach is the only option that minimizes business impact and mitigates the most risk possible.
- 53. The Bad Guys: anti-forensics; exploits; social engineering; insiders; outsiders.
- 63. Chart (not reproduced): sophistication of hacker tools rising over time while the technical knowledge required falls, with the examples placed along the curve: new Internet attacks, packet forging and spoofing, stealth diagnostics, DDoS, sniffers, sweepers, hijacking sessions, back doors, self-replicating code, password cracking, password guessing. [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
- 64. Social Engineering. "Social Engineer Specialist: because there is no patch for human stupidity" (DEF CON T-shirt). The art of using human behavior to breach security without the participant even realizing they have been manipulated.
- 65. Social Engineering. Technical: Google, Maltego, PiPL. Non-technical: poor physical controls; lack of security awareness training; lack of policies and procedures; weak employee screening; lack of management support; poor controls on data.
- 66. Social Engineering. People are the weakest link: desire to be helpful; fear of getting in trouble; tendency to trust; desire to be successful.
- 71. Insider - watch for: some kind of activity; revealing information not directly observable; noticed; significance recognized.
- 72. Insider - HR: monitoring included in policy; clearly defined processes that include HR, Legal, Security and Management; understand the evolving statutory privacy requirements.
- 74. Risk Modeling. Know your risk formulas: ALE = ARO x SLE; (EV * AV); susceptibility; impact; Risk = Materiality.
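A worked version of the ALE = ARO x SLE formula, added here as an example and not taken from the deck. The $204 per-record cost is the Ponemon figure quoted on slide 24; the 20,000-record laptop (from the editor's notes), its assumed loss frequency, and the control costs and effects are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

COST_PER_RECORD = 204.0  # USD per compromised record, 2009 Ponemon figure quoted in the deck


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in the quantitative risk model used on the slide."""
    name: str
    asset_value: float      # AV: value at stake, here records * cost per record
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: the loss from one occurrence (AV * EF)."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy, the deck's ALE = ARO x SLE."""
    return s.aro * sle(s)


def control_benefit(s: Scenario, annual_cost: float,
                    aro_after: float = None, ef_after: float = None) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - cost of the control.
    A negative result means the control costs more than the risk it removes."""
    after = replace(s,
                    aro=s.aro if aro_after is None else aro_after,
                    exposure_factor=s.exposure_factor if ef_after is None else ef_after)
    return ale(s) - ale(after) - annual_cost


def records_scenario(name: str, records: int, aro: float, ef: float = 1.0) -> Scenario:
    """Build a scenario whose asset value is a record count priced at COST_PER_RECORD."""
    return Scenario(name, records * COST_PER_RECORD, ef, aro)


# Constructed scenario (assumption): an unencrypted laptop holding 20,000 records,
# lost about once every four years.
LAPTOP = records_scenario("unencrypted laptop, 20,000 records", 20_000, aro=0.25)


def compare_controls(s: Scenario = LAPTOP) -> dict:
    """Assumed (illustrative) controls: encryption leaves ARO alone, since laptops still go
    missing, but shrinks EF; a no-local-copies policy lowers ARO but costs less."""
    return {
        "full-disk encryption": control_benefit(s, annual_cost=50_000, ef_after=0.05),
        "no local copies policy": control_benefit(s, annual_cost=20_000, aro_after=0.10),
        "do nothing": control_benefit(s, annual_cost=0),
    }


if __name__ == "__main__":
    print(f"SLE = ${sle(LAPTOP):,.0f}  ALE = ${ale(LAPTOP):,.0f}")
    for control, net in compare_controls().items():
        print(f"{control:24s} net annual benefit ${net:,.0f}")
```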
- 76. Attack Methodology. Phase I: reconnaissance. Phase II: enumeration. Phase III: vulnerability analysis. Phase IV: exploit.
- 78. Case Study #1: Defense contractor. Investigation: data leakage. Results: targeted spear phishing. Breakdown: AV; DLP; firewall/IDS; incident response.
- 79. Case Study #2: Insurance. Investigation: data leakage. Results: loss of ACLs, passwords, intellectual capital. Breakdown: security awareness; improper access control; DLP; IDS/IPS/HIDS.
- 80. Case Study #3: Healthcare. Investigation: outside hack. Results: loss of proprietary information; loss of reputation; company ended up closing shop. Breakdown: internal IT violated controls set in place through HIPAA.
- 81. Questions and Answers. Michael A. DaGrossa, CISSP, CEH, CCE. Managing Partner, Business Risk Services. 302.261.9013 (office), 302.383.2737 (mobile). ION-e Group, 100 Dean Drive, Newark, DE 19711. www.ion-e.com; www.linkedin.com/in/dagrossa; www.deinfragard.com.
Editor's Notes
- AV Med, 20,000 - laptop; Kinetic - 4,000 people through a wrong email attachment; UPMC HIPAA violation, stolen records.
- Section 501; ING 600,000 (multiple laptop losses, now encryption); ECMC 330,000.
- Accessing others' information.
- Clients know there is a problem and ask for advice.
- Near 1 billion dollars. A quarter of breaches are laptops.
- Don't be confused by the Society of Payment Security Professionals.
- Rune - hides data in bad-block inodes; Wafen - hides data in a spoofed journal file; KY - hides data in null directory entries; Data Mule - hides data in reserved space.
- Attacker-Centric
Attacker-centric threat modeling starts with an attacker and evaluates their goals and how they might achieve them. Attackers' motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.
Software-Centric
Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system, and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.
Asset-Centric
Asset-centric threat modeling involves starting from assets entrusted to a system, such as a collection of sensitive personal information.